Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.8

    MEDIUM
    CVE-2026-0729

    A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitatio... Read more

    • Published: Jan. 08, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2026-0733

    A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible t... Read more

    Affected Products : online_course_registration_system
    • Published: Jan. 09, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 6.8

    MEDIUM
    CVE-2025-68656

    Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the ... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 8.7

    HIGH
    CVE-2025-41078

    Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating o... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Authorization

  • 10.0

    CRITICAL
    CVE-2025-65091

    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or st... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.7

    MEDIUM
    CVE-2026-0513

    Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes l... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 3.8

    LOW
    CVE-2026-0504

    Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may ... Read more

    Affected Products :
    • Published: Jan. 13, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2026-22771

    Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These... Read more

    Affected Products : gateway
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 8.1

    HIGH
    CVE-2026-22687

    WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, ... Read more

    Affected Products : weknora
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Information Disclosure

  • 8.0

    HIGH
    CVE-2026-22029

    React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration

  • 6.8

    MEDIUM
    CVE-2025-68622

    Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configura... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 9.3

    CRITICAL
    CVE-2025-41006

    Imaster's MEMS Events CRM contains an SQL injection vulnerability in ‘phone’ parameter in ‘/memsdemo/login.php’.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-15502

    A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Such manipulation of the argument Hostname leads to os ... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 5.4

    MEDIUM
    CVE-2025-14976

    The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. T... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Request Forgery

  • 8.8

    HIGH
    CVE-2026-0854

    Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.... Read more

    Affected Products :
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Injection

  • 4.8

    MEDIUM
    CVE-2025-14579

    The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (... Read more

    Affected Products : quiz_maker
    • Published: Jan. 12, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 4.8

    MEDIUM
    CVE-2025-15506

    A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 4.8

    MEDIUM
    CVE-2025-15505

    A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The at... Read more

    Affected Products :
    • Published: Jan. 11, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2026-0822

    A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit ... Read more

    Affected Products : quickjs
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Memory Corruption

  • 6.5

    MEDIUM
    CVE-2026-22689

    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) v... Read more

    Affected Products :
    • Published: Jan. 10, 2026
    • Modified: Jan. 13, 2026
    • Vuln Type: Misconfiguration
Showing 20 of 4287 Results